Unknown virus?

Unknown virus?

Post by amputate on 13th June 2009, 6:34 pm

Hello,

Recently, my roommate decided to download an album directly from a website via my computer since he doesn't have his own. After he had unrar'd it, my anti-viruses started going haywire and spammed about a million times to block some trojan. My PC froze and shut itself down shortly after. I've scanned using Malwarebytes' Anti-Malware a ton of times, and every time I do it comes back with the same "96 infections found". I've also tried restoring to an earlier point, but I think the virus isn't allowing me to, because I've tried about 5 different dates and it keeps saying "System Restore Incomplete." I am currently safe-booted with network privileges and I've tried to open HijackThis, but it will not run. Please help :( tearing!

Btw, I'm not sure if this has anything to do with the virus, but it's been messing with my website as well, since they've contacted me telling me some unknown trace is uploading things from a different IP.


Re: Unknown virus?

Post by Belahzur on 13th June 2009, 6:57 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Unknown virus?

Post by amputate on 13th June 2009, 7:19 pm

DDS (Ver_09-05-14.01) - NTFSx86 NETWORK
Run by HP_Administrator at 12:17:58.07 on Sat 06/13/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1466 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
svchost
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Last.fm\LastFM.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uDefault_Page_URL = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
mDefault_Page_URL = [You must be registered and logged in to see this link.]
mDefault_Search_URL = [You must be registered and logged in to see this link.]
mSearch Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local;
uInternet Settings,ProxyServer = http=localhost:7171
mSearchAssistant = [You must be registered and logged in to see this link.]
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7c5c0f58-e061-457d-9033-77307f5ed00c} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [AIM (R)] c:\program files\aim95\aim.exe -cnetwait.odl
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [phime2002async] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [phime2002a] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [pcdrprofiler]
mRun: [nwiz] nwiz.exe /install
mRun: [mspy2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [kernelfaultcheck] %systemroot%\system32\dumprep 0 -k
mRun: [imjpmig8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
StartupFolder: c:\documents and settings\hp_administrator\start menu\programs\startup\rncsys32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\8kzs7j02.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-7 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-4-16 130936]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1005904]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-4-16 348752]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-4-16 1095560]
S0 utwtj;utwtj; [x]
S1 3e6c2fe5;3e6c2fe5;c:\windows\system32\drivers\3e6c2fe5.sys [2009-5-24 97216]
S1 82e6c4e9;82e6c4e9;c:\windows\system32\drivers\82e6c4e9.sys [2009-6-2 98636]
S1 fdd6bd9;fdd6bd9;c:\windows\system32\drivers\fdd6bd9.sys [2009-6-13 99422]
S2 avast!antivirus;avast!antivirus;c:\windows\system32\avast!antivirus.exe -k netsvcs --> c:\windows\system32\avast!Antivirus.exe -k netsvcs [?]
S2 avast!avscontrolservice;avast!avscontrolservice;c:\windows\system32\avast!avscontrolservice.exe -k netsvcs --> c:\windows\system32\avast!AVSControlService.exe -k netsvcs [?]
S2 fastuserswitchingcompatibility ad-aware service;Fast User Switching Compatibility FastUserSwitchingCompatibility Ad-Aware Service;c:\windows\system32\acelpdecn.exe srv --> c:\windows\system32\acelpdecn.exe srv [?]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
S2 ProtectedStorageLightScribeService;Protected Storage ProtectedStorageLightScribeService;c:\windows\system32\accessx.exe srv --> c:\windows\system32\accessx.exe srv [?]
S3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [2006-11-16 82048]
S3 XDva225;XDva225;\??\c:\windows\system32\xdva225.sys --> c:\windows\system32\XDva225.sys [?]

=============== Created Last 30 ================

2009-06-13 10:42 0 a------- C:\backup.reg
2009-06-13 10:42 135,168 a------- C:\zip.exe
2009-06-13 10:42 19,286 a------- C:\cleanup.exe
2009-06-13 10:42 574 a------- C:\cleanup.bat
2009-06-13 02:40 124,416 a------- c:\windows\system32\avast!AVSControlService.exe
2009-06-13 02:40 99,422 a------- c:\windows\system32\drivers\fdd6bd9.sys
2009-06-13 02:40 29,184 a------- c:\windows\system32\jbnmck.dll
2009-06-13 02:39 36,864 a------- c:\windows\system32\avast!Antivirus.exe
2009-06-11 14:58 447,752 a----r-- c:\windows\system32\vp6vfw.dll
2009-06-11 14:58 --d----- c:\program files\Microsoft WSE
2009-06-11 14:48 2,414,360 a------- c:\windows\system32\d3dx9_31.dll
2009-06-11 14:48 --d----- c:\windows\Logs
2009-06-03 19:02 --d----- c:\docume~1\hp_adm~1\applic~1\uTorrent
2009-06-02 12:34 --d----- c:\program files\Windows Installer Clean Up
2009-06-02 12:34 --d----- c:\program files\MSECACHE
2009-06-02 02:09 2 ----h--- c:\windows\sonce122730.dat
2009-06-02 02:09 --d----- c:\windows\system32\sysloc
2009-06-02 02:09 98,636 a------- c:\windows\system32\drivers\82e6c4e9.sys
2009-06-02 02:08 15,000 a------- c:\windows\system32\yhafd78auhd.dll
2009-06-02 02:08 --d----- c:\docume~1\alluse~1\applic~1\90490926
2009-06-02 02:08 --d----- c:\docume~1\alluse~1\applic~1\10480934
2009-06-02 00:34 --d----- c:\program files\iPod
2009-05-26 17:18 90,112 a------- c:\windows\system32\QuickTimeVR.qtx
2009-05-26 17:18 57,344 a------- c:\windows\system32\QuickTime.qts
2009-05-25 22:51 --d----- c:\program files\mIRC
2009-05-25 22:51 --d----- c:\docume~1\hp_adm~1\applic~1\mIRC
2009-05-24 15:16 97,216 a------- c:\windows\system32\drivers\3e6c2fe5.sys
2009-05-22 21:25 2,463,976 a------- c:\windows\system32\NPSWF32.dll
2009-05-22 21:25 190,696 a------- c:\windows\system32\NPSWF32_FlashUtil.exe
2009-05-22 21:22 --d----- c:\program files\MagicISO
2009-05-22 19:17 --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-05-22 19:17 --d----- c:\program files\DAEMON Tools Toolbar
2009-05-22 19:17 --d----- c:\program files\DAEMON Tools Lite
2009-05-22 19:13 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-05-22 19:13 --d----- c:\docume~1\hp_adm~1\applic~1\DAEMON Tools Lite
2009-05-19 19:17 --d----- c:\program files\GlobalSCAPE
2009-05-19 18:10 --d----- c:\program files\WinPcap
2009-05-19 18:09 2 ----h--- c:\windows\sto453250.dat
2009-05-19 18:09 100 a--s---- c:\windows\system32\821635520.dat
2009-05-19 18:09 53,248 ---shr-- c:\windows\system32\accessx.exe
2009-05-17 16:52 --d----- c:\program files\No-IP
2009-05-17 04:45 29,696 a------- c:\windows\system32\dllcache\admexs.dll
2009-05-17 04:44 8,192 a------- c:\windows\system32\staxmem.dll
2009-05-17 04:44 8,192 a------- c:\windows\system32\dllcache\staxmem.dll
2009-05-17 04:44 --d----- c:\windows\system32\Logfiles
2009-05-17 04:44 --d----- C:\Inetpub
2009-05-16 19:52 --d----- c:\docume~1\alluse~1\applic~1\ALM
2009-05-14 23:51 3,247 a------- c:\windows\system32\wbem\Outlook_01c9d52986e7b38e.mof

==================== Find3M ====================

2009-06-02 02:09 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-06-02 02:09 182,912 a------- c:\windows\system32\dllcache\ndis.sys
2009-05-29 13:36 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-05-29 13:36 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-05-26 16:24 15,688 a------- c:\windows\system32\lsdelete.exe
2009-04-23 22:35 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-22 21:07 66,560 a------- c:\windows\system32\UACfwippfskvuoqaaw.dll
2009-04-22 21:07 19,968 a------- c:\windows\system32\UAChwsdpnbuhleseim.dll
2009-04-22 21:07 19,968 a------- c:\windows\system32\UACikkgsesfxpaidim.dll
2009-04-22 21:07 17,408 a------- c:\windows\system32\UACritsetvsqnyklon.dll
2009-04-22 21:07 25,088 a------- c:\windows\system32\UACjhhnapudxlooxyr.dll
2009-04-22 21:06 47,616 a--sh--- c:\windows\system32\sogasuba.exe
2009-04-21 22:14 112,954 a------- c:\windows\hpoins07.dat
2009-04-21 16:24 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-04-20 17:37 823 a------- c:\program files\Yahoo! Messenger.lnk
2009-04-20 17:17 438,592 a------- c:\program files\msgr9us.exe
2009-04-19 23:45 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-03-21 07:18 986,112 -------- c:\windows\system32\dllcache\kernel32.dll

============= FINISH: 12:18:21.50 ===============

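The entries in this DDS log that a helper looks at first are the ones ComboFix later removes: drivers with random hex names (3e6c2fe5.sys, 82e6c4e9.sys, fdd6bd9.sys), services calling themselves "avast!antivirus" and "Ad-Aware" whose binaries sit in system32 with svchost-style "-k netsvcs" arguments that DDS could not verify ([?]), a boot-start driver with no file on disk ([x]), and a per-user proxy pointing at localhost:7171. The following Python script is an added example for this thread, not part of the DDS tool or anything posted here; it parses a handful of lines copied from the log above (a constructed subset) and applies those rules of thumb. The regexes and the heuristic names are my own choices, and a hit means "look at this entry", not "this is malware".

```python
import re
from collections import OrderedDict

# Sample input for the example: a subset of the DDS log posted in this thread
# (the two proxy lines from the Pseudo HJT section plus a few SERVICES / DRIVERS
# entries). Constructed subset; no entry here is new data.
SAMPLE_DDS = r"""
uInternet Settings,ProxyOverride = *.local;
uInternet Settings,ProxyServer = http=localhost:7171
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-7 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1005904]
S0 utwtj;utwtj; [x]
S1 3e6c2fe5;3e6c2fe5;c:\windows\system32\drivers\3e6c2fe5.sys [2009-5-24 97216]
S2 avast!antivirus;avast!antivirus;c:\windows\system32\avast!antivirus.exe -k netsvcs --> c:\windows\system32\avast!Antivirus.exe -k netsvcs [?]
S2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
S3 XDva225;XDva225;\??\c:\windows\system32\xdva225.sys --> c:\windows\system32\XDva225.sys [?]
"""

# A DDS service line reads "<R|S><start type> <name>;<display name>;<image path and status>"
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")
# Service names that are nothing but 6-8 hex digits (the rootkit in this thread used these)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{6,8}$", re.IGNORECASE)
# The per-user proxy setting from the Pseudo HJT section
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(.+)$")


def check_service(name, rest):
    """Return the heuristic reasons (possibly none) a service entry deserves a look."""
    reasons = []
    rest_l = rest.strip().lower()
    if rest_l.endswith("[x]"):
        reasons.append("no binary on disk")
    if rest_l.endswith("[?]"):
        reasons.append("binary could not be verified by DDS")
    if HEX_NAME_RE.match(name):
        reasons.append("random hex-looking service name")
    # "-k netsvcs" is an svchost.exe argument; any other image carrying it is
    # dressing itself up as a service host
    if "-k netsvcs" in rest_l and "svchost" not in rest_l:
        reasons.append("svchost-style '-k netsvcs' argument on a non-svchost image")
    return reasons


def check_proxy(value):
    """Flag a user proxy that loops traffic back through the machine itself."""
    v = value.strip().lower()
    if "localhost" in v or "127.0.0.1" in v:
        return ["user proxy points at the local machine"]
    return []


def triage(dds_text):
    """Walk DDS output and return an ordered {entry: [reasons]} map of entries worth review."""
    findings = OrderedDict()
    for line in dds_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = PROXY_RE.search(line)
        if m:
            reasons = check_proxy(m.group(1))
            if reasons:
                findings["ProxyServer"] = reasons
            continue
        m = SERVICE_RE.match(line)
        if m:
            _state, _start_type, name, _display, rest = m.groups()
            reasons = check_service(name, rest)
            if reasons:
                findings[name] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_DDS).items():
        print(f"{entry}: {'; '.join(reasons)}")
```

Run against the sample, the script reports ProxyServer, utwtj, 3e6c2fe5, avast!antivirus and XDva225 and stays quiet about Lbd, the Lavasoft service and npf; the [?] and "-k netsvcs" rules are what separate the fake avast! entries from a real AV service installed under Program Files.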

Re: Unknown virus?

Post by Origin on 13th June 2009, 7:34 pm


1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:
3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See [You must be registered and logged in to see this link.] for how to disable your AV. (Mcafee)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]



Re: Unknown virus?

Post by amputate on 13th June 2009, 11:24 pm

Alright, the .txt file was quite big, so I'll break it up into a few posts.

ComboFix 09-06-13.03 - HP_Administrator 06/13/2009 16:07.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1631 [GMT -7]
Running from: c:\documents and settings\HP_Administrator\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\10480934
c:\documents and settings\All Users\Application Data\90490926
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\windows\system32\accessx.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\sysloc
c:\windows\system32\UACavqetikvgqyfgoj.dat
c:\windows\system32\UACfteggyeanmmpply.log
c:\windows\system32\UACfwippfskvuoqaaw.dll
c:\windows\system32\UAChwsdpnbuhleseim.dll
c:\windows\system32\UACikkgsesfxpaidim.dll
c:\windows\system32\UACjhhnapudxlooxyr.dll
c:\windows\system32\UACritsetvsqnyklon.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
C:\cleanup.exe
c:\documents and settings\All Users\Application Data\10480934\10480934.exe
c:\documents and settings\All Users\Application Data\10480934\10480934.glu
c:\documents and settings\All Users\Application Data\10480934\pc10480934cnf
c:\documents and settings\All Users\Application Data\10480934\pc10480934ins
c:\documents and settings\All Users\Application Data\90490926\90490926.exe
c:\documents and settings\HP_Administrator\Application Data\wiaserva.log
c:\documents and settings\HP_Administrator\Application Data\wiaservg.log
c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\rncsys32.exe
c:\documents and settings\LocalService\Application Data\1301700638.exe
c:\documents and settings\LocalService\Application Data\1361538659.exe
c:\documents and settings\LocalService\Application Data\1458931097.exe
c:\documents and settings\LocalService\Application Data\615289520.exe
c:\documents and settings\LocalService\Application Data\755020800.exe
c:\windows\kb913800.exe
c:\windows\sonce122730.dat
c:\windows\system32\avast!Antivirus.exe
c:\windows\system32\avast!AVSControlService.exe
c:\windows\system32\config\systemprofile\reader_s.exe
c:\windows\system32\drivers\3e6c2fe5.sys
c:\windows\system32\drivers\82e6c4e9.sys
c:\windows\system32\drivers\fdd6bd9.sys
c:\windows\system32\jbnmck.dll
c:\windows\system32\mssfc.dll
c:\windows\system32\sfcfiles.dat
c:\windows\system32\sysloc\sysloc.dll
c:\windows\system32\wbem\proquota.exe
c:\windows\system32\yhafd78auhd.dll
c:\windows\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job
c:\windows\Temp\3996116094.exe
D:\Autorun.inf
D:\Desktop.ini

Infected copy of c:\windows\system32\sfcfiles.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\sfcfiles.dll

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\system volume information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP46\A0008405.exe

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - The cat ate it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_avast!antivirus
-------\Legacy_fastuserswitchingcompatibility_ad-aware_service
-------\Legacy_NPF
-------\Legacy_PROTECTEDSTORAGELIGHTSCRIBESERVICE
-------\Service_avast!antivirus
-------\Service_fastuserswitchingcompatibility ad-aware service
-------\Service_npf
-------\Service_ProtectedStorageLightScribeService
-------\Service_UACd.sys
-------\Legacy_avast!avscontrolservice
-------\Service_3e6c2fe5
-------\Service_82e6c4e9
-------\Service_avast!avscontrolservice
-------\Service_fdd6bd9


((((((((((((((((((((((((( Files Created from 2009-05-13 to 2009-06-13 )))))))))))))))))))))))))))))))
.


Last edited by amputate on 13th June 2009, 11:27 pm; edited 1 time in total


Re: Unknown virus?

Post by amputate on 13th June 2009, 11:26 pm

2009-06-13 23:14 . 2004-08-10 04:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-06-13 17:42 . 2009-06-13 17:42 0 ----a-w- C:\backup.reg
2009-06-13 17:42 . 2009-06-13 17:42 574 ----a-w- C:\cleanup.bat
2009-06-13 17:42 . 2009-06-13 17:42 135168 ----a-w- C:\zip.exe
2009-06-13 16:12 . 2009-06-13 16:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-13 09:57 . 2009-06-08 21:00 110592 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\8kzs7j02.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
2009-06-11 21:58 . 2008-09-04 18:17 447752 ----a-r- c:\windows\system32\vp6vfw.dll
2009-06-11 21:58 . 2009-06-11 21:58 10134 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-06-11 21:58 . 2009-06-11 21:58 -------- d-----w- c:\program files\Microsoft WSE
2009-06-11 21:48 . 2006-09-28 23:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2009-06-11 21:48 . 2009-06-11 21:48 -------- d-----w- c:\windows\Logs
2009-06-11 21:40 . 2009-06-11 21:40 -------- d-----w- c:\program files\Electronic Arts
2009-06-04 02:02 . 2009-06-13 18:23 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\uTorrent
2009-06-02 19:34 . 2009-06-02 19:34 3584 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-06-02 19:34 . 2009-06-02 19:34 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-06-02 19:34 . 2009-06-02 19:34 -------- d-----w- c:\program files\MSECACHE
2009-06-02 09:11 . 2009-06-02 09:11 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2009-06-02 09:10 . 2009-06-02 09:10 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-06-02 09:09 . 2009-06-02 09:09 19968 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Shortcuts\icwsetup.exe
2009-06-02 07:34 . 2009-06-02 07:34 -------- d-----w- c:\program files\iPod
2009-06-02 07:26 . 2009-06-02 07:26 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-02 07:26 . 2009-06-02 07:26 -------- d-----w- c:\program files\Safari
2009-05-26 05:51 . 2009-06-11 16:17 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\mIRC
2009-05-26 05:51 . 2009-06-09 19:44 -------- d-----w- c:\program files\mIRC
2009-05-23 04:25 . 2007-02-20 23:04 190696 ----a-w- c:\windows\system32\NPSWF32_FlashUtil.exe
2009-05-23 04:25 . 2007-02-20 23:04 2463976 ----a-w- c:\windows\system32\NPSWF32.dll
2009-05-23 04:22 . 2009-05-23 04:22 -------- d-----w- c:\program files\MagicISO
2009-05-23 02:17 . 2009-05-23 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-05-23 02:17 . 2009-05-23 02:22 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-05-23 02:17 . 2009-05-28 23:01 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-05-23 02:13 . 2009-05-23 02:13 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-23 02:13 . 2009-05-23 02:23 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\DAEMON Tools Lite
2009-05-20 06:52 . 2007-02-21 09:09 2781184 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Adobe\Dreamweaver 9\Configuration\Flash Player\authplay.dll
2009-05-20 02:18 . 2009-05-20 02:18 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\GlobalSCAPE
2009-05-20 02:18 . 2009-05-20 02:18 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\GlobalSCAPE
2009-05-20 02:17 . 2009-05-20 02:17 -------- d-----w- c:\program files\GlobalSCAPE
2009-05-20 01:09 . 2009-05-20 01:09 2 ---h--w- c:\windows\sto453250.dat
2009-05-20 01:09 . 2009-06-04 01:22 100 --s-a-w- c:\windows\system32\821635520.dat
2009-05-17 23:52 . 2009-05-17 23:52 -------- d-----w- c:\program files\No-IP
2009-05-17 11:45 . 2004-08-09 21:00 29696 ----a-w- c:\windows\system32\dllcache\admexs.dll
2009-05-17 11:44 . 2004-08-09 21:00 8192 ----a-w- c:\windows\system32\staxmem.dll
2009-05-17 11:44 . 2004-08-09 21:00 8192 ----a-w- c:\windows\system32\dllcache\staxmem.dll
2009-05-17 11:44 . 2009-05-17 11:44 -------- d-----w- c:\windows\system32\Logfiles
2009-05-17 11:44 . 2009-05-17 11:44 -------- d-----w- C:\Inetpub
2009-05-17 02:52 . 2009-05-17 02:52 -------- d-----w- c:\documents and settings\All Users\Application Data\ALM
2009-05-17 02:49 . 2009-05-17 02:49 -------- d-----w- c:\program files\Adobe Media Player
2009-05-17 02:47 . 2009-05-17 02:47 -------- d-----w- c:\program files\Common Files\Adobe AIR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-13 23:16 . 2009-04-17 01:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-13 23:14 . 2004-08-10 04:00 182912 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-11 21:40 . 2006-11-17 03:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-08 20:00 . 2009-04-24 05:47 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\LimeWire
2009-06-07 09:57 . 2009-04-07 23:34 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Apple Computer
2009-06-07 00:23 . 2009-04-10 09:40 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Ventrilo
2009-06-02 19:09 . 2009-04-17 01:57 -------- d-----w- c:\program files\Spyware Doctor
2009-06-02 07:34 . 2009-04-07 23:33 -------- d-----w- c:\program files\iTunes
2009-06-02 07:34 . 2009-04-07 23:32 -------- d-----w- c:\program files\Common Files\Apple
2009-06-02 07:32 . 2009-04-07 23:33 -------- d-----w- c:\program files\QuickTime
2009-05-29 20:36 . 2009-04-07 23:32 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-29 20:36 . 2009-04-07 23:32 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-05-20 06:45 . 2006-11-17 03:29 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-20 04:33 . 2006-11-17 03:22 119976 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-09 21:00 . 2009-05-09 21:00 -------- d-----w- c:\program files\AutoIt3
2009-05-08 13:59 . 2009-05-08 13:59 -------- d-----w- c:\program files\AhnLab
2009-05-07 20:53 . 2009-05-06 07:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Logishrd
2009-05-07 06:40 . 2009-05-07 06:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-07 06:36 . 2006-11-17 03:26 -------- d-----w- c:\program files\Microsoft Works
2009-05-07 06:36 . 2009-05-07 06:36 -------- d-----w- c:\program files\MSBuild
2009-05-07 06:35 . 2009-05-07 06:35 -------- d-----w- c:\program files\Microsoft.NET
2009-05-06 07:08 . 2009-05-06 07:06 -------- d-----w- c:\program files\Common Files\LogiShrd
2009-05-06 07:07 . 2009-05-06 07:07 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Leadertech
2009-05-06 07:06 . 2009-05-06 07:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2009-05-06 07:06 . 2009-05-06 07:06 -------- d-----w- c:\program files\Logitech
2009-05-05 21:48 . 2009-05-05 21:48 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\teamspeak2
2009-05-05 21:48 . 2009-05-05 21:48 -------- d-----w- c:\program files\Teamspeak2_RC2
2009-05-03 06:10 . 2009-04-24 05:34 -------- d-----w- c:\program files\LimeWire
2009-05-02 01:02 . 2009-05-02 01:02 -------- d-----w- c:\program files\Windows Journal Viewer
2009-04-30 02:56 . 2009-04-08 07:31 -------- d-----w- c:\program files\BitLord
2009-04-24 05:35 . 2009-04-24 05:35 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-04-24 05:35 . 2006-11-17 02:53 -------- d-----w- c:\program files\Java
2009-04-24 05:35 . 2009-04-24 05:35 152576 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\jre1.6.0_11\lzma.dll
2009-04-23 04:14 . 2009-04-08 07:32 -------- d-----w- c:\program files\Conduit
2009-04-23 04:13 . 2006-11-17 03:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-04-23 04:06 . 2009-01-23 04:06 47616 --sha-w- c:\windows\system32\sogasuba.exe
2009-04-22 05:15 . 2009-04-22 05:03 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\HP
2009-04-22 05:14 . 2009-04-22 05:03 112954 ----a-w- c:\windows\hpoins07.dat
2009-04-22 05:13 . 2009-04-22 05:13 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-04-22 05:13 . 2006-11-17 03:12 -------- d-----w- c:\program files\HP
2009-04-22 05:12 . 2006-11-17 03:24 -------- d-----w- c:\program files\Hewlett-Packard
2009-04-22 05:11 . 2009-04-22 05:11 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-04-21 23:24 . 2009-04-21 23:24 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-04-21 23:24 . 2009-04-07 23:24 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-04-21 00:38 . 2009-04-21 00:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-04-21 00:37 . 2009-04-21 00:37 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Yahoo!
2009-04-21 00:37 . 2009-04-21 00:37 823 ----a-w- c:\program files\Yahoo! Messenger.lnk
2009-04-21 00:36 . 2006-11-17 03:41 -------- d-----w- c:\program files\Yahoo!
2009-04-21 00:17 . 2009-04-21 00:17 438592 ----a-w- c:\program files\msgr9us.exe
2009-04-20 06:45 . 2009-04-17 02:05 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-04-19 20:14 . 2006-11-17 03:19 -------- d-----w- c:\program files\HP Games
2009-04-19 20:14 . 2006-11-17 03:19 -------- d-----w- c:\program files\WildTangent
2009-04-19 20:14 . 2006-11-17 03:19 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2009-04-19 10:05 . 2009-04-19 10:05 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-04-19 10:01 . 2009-04-19 10:01 -------- d-----w- c:\program files\MSXML 4.0
2009-04-19 08:43 . 2009-04-19 08:43 -------- d-----w- c:\program files\JAP
2009-04-18 01:04 . 2009-04-18 01:04 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-04-18 00:15 . 2009-04-18 00:14 52770576 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sony Setup\64993CD0-67D1-4244-A2BC-FD73F4DA5B62\dotnetfx3.exe
2009-04-17 23:40 . 2009-04-08 02:15 -------- d-----w- c:\program files\Last.fm
2009-04-17 23:13 . 2009-04-17 23:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-04-17 23:13 . 2009-04-17 23:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-17 07:10 . 2009-04-12 21:36 0 ----a-w- c:\windows\Sjakahixusoyaq.bin
2009-04-17 02:47 . 2009-04-17 02:47 -------- d-----w- c:\program files\Trend Micro
2009-04-17 02:44 . 2009-04-17 02:33 -------- d-----w- c:\program files\True Sword 5
2009-04-17 02:33 . 2009-04-17 02:33 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\True Sword
2009-04-17 02:20 . 2009-04-17 01:57 -------- d-----w- c:\program files\Common Files\PC Tools
2009-04-17 01:57 . 2009-04-17 01:57 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\PC Tools
2009-04-17 01:57 . 2009-04-17 01:57 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-04-17 01:57 . 2009-04-17 01:55 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\GetRightToGo
2009-04-16 08:28 . 2009-04-16 08:28 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Sony Setup
2009-04-16 08:27 . 2009-04-16 08:27 -------- d-----w- c:\program files\Sony Setup
2009-04-16 08:20 . 2009-04-12 21:36 408 ----a-w- c:\windows\Fsesob.dat
2009-04-08 22:35 . 2009-04-07 23:14 139 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\fusioncache.dat
2009-04-08 02:16 . 2009-04-08 02:16 683801 ----a-w- c:\documents and settings\All Users\Application Data\Last.fm\Client\UninstWMP\unins000.exe
2009-04-08 02:16 . 2009-04-08 02:16 184 ----a-w- c:\documents and settings\All Users\Application Data\Last.fm\Client\uninst2.bat
2009-04-08 02:16 . 2009-04-08 02:16 683801 ----a-w- c:\documents and settings\All Users\Application Data\Last.fm\Client\UninstITW\unins000.exe
2009-04-07 23:23 . 2009-04-07 23:23 167376 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\8kzs7j02.default\FlashGot.exe
2009-04-07 23:20 . 2009-04-07 23:20 0 ----a-w- c:\windows\nsreg.dat
2009-04-06 22:32 . 2009-04-17 23:13 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 22:32 . 2009-04-17 23:13 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-03-19 23:32 . 2009-04-07 23:34 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-19 23:32 . 2009-03-19 23:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 00:55 . 2009-04-21 00:36 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4


Re: Unknown virus?

Post by amputate on 13th June 2009, 11:26 pm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM (R)"="c:\program files\AIM95\aim.exe" [2002-07-26 57344]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-09 2828184]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-19 4363504]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-26 518488]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-15 565008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-15 2407184]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"phime2002async"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-09 455168]
"phime2002a"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-09 455168]
"mspy2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-09 59392]
"imjpmig8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-09 208952]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2005-09-27 169984]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-05-09 1519616]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\GlobalSCAPE\\CuteFTP 8 Professional\\ftpte.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"53:UDP"= 53:UDP:Promo

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/7/2009 4:24 PM 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [4/16/2009 7:05 PM 130936]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [4/16/2009 6:57 PM 348752]
S0 utwtj;utwtj; [x]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 12:06 PM 1005904]
S3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [11/16/2006 8:09 PM 82048]
S3 XDva225;XDva225;\??\c:\windows\system32\XDva225.sys --> c:\windows\system32\XDva225.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-06-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 23:24]
.
- - - - ORPHANS REMOVED - - - -

BHO-{7c5c0f58-e061-457d-9033-77307f5ed00c} - (no file)
HKLM-Run-pcdrprofiler - (no file)


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local;
uInternet Settings,ProxyServer = http=localhost:7171
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-13 16:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(608)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(1856)
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Spyware Doctor\pctsSvc.exe
c:\windows\system32\CF4451.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-06-13 16:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-13 23:22

Pre-Run: 183,559,905,280 bytes free
Post-Run: 185,073,037,312 bytes free

348 --- E O F --- 2009-04-20 10:00


Re: Unknown virus?

Post by amputate on 13th June 2009, 11:40 pm

Uhh... I just noticed PC Doctor was still running; is it safe for me to re-scan using Combo-Fix?


Re: Unknown virus?

Post by Belahzur on 14th June 2009, 12:00 am

Hello.

I see that you are running Limewire.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

If Limewire is not removed, then I won't help you.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • BitLord
  • Limewire

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
utwtj

File::
c:\windows\sto453250.dat
c:\windows\Sjakahixusoyaq.bin
c:\windows\Fsesob.dat

Folder::
c:\program files\LimeWire
c:\program files\BitLord

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
"AntiVirusDisableNotify"=-
"UpdatesDisableNotify"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-

Save this as CFScript.txt, saving it to your desktop as well.
Then drag and drop CFScript.txt into combofix as seen below:


This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to.)
Post the resulting log back here.




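The log posted above shows the three Security Center override values set to 1, an S0 service (utwtj) with no file behind it, and a ProxyServer entry pointing at localhost:7171; the CFScript above removes the first two. As an added example that is not code from the thread or from ComboFix, the following Python triage parses a ComboFix "Reg Loading Points" excerpt (constructed here from the log lines above) to flag those indicators and emit the matching Registry:: stanza.

```python
# Added triage example (not ComboFix's own code): parse a ComboFix
# "Reg Loading Points" excerpt and flag the tamper indicators seen above.
import re

# Constructed excerpt, copied from the log format above and trimmed to the
# lines the checks below need.
SAMPLE_LOG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/7/2009 4:24 PM 64160]
S0 utwtj;utwtj; [x]
S3 XDva225;XDva225;\??\c:\windows\system32\XDva225.sys --> c:\windows\system32\XDva225.sys [?]

uInternet Settings,ProxyServer = http=localhost:7171
"""

SECURITY_CENTER_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\security center"
# Set to 1, these silence the XP Security Center "no antivirus / no updates"
# balloons, so the user is never told that protection is off.
SUPPRESSION_VALUES = ("AntiVirusOverride", "AntiVirusDisableNotify",
                      "UpdatesDisableNotify", "FirewallOverride",
                      "FirewallDisableNotify")

_SECTION_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
# Service lines: "<R|S><start type> <name>;<display name>;<image path> [info]"
_SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*)$")
_PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer = (.+)$")


def parse_registry(text):
    """Return {key: {value_name: raw_value}} from the REGEDIT4-style blocks."""
    sections, current = {}, None
    for line in text.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2).strip()
    return sections

def security_center_overrides(sections):
    """Suppression values under the Security Center key whose DWORD is non-zero."""
    values = {}
    for key, vals in sections.items():
        if key.lower() == SECURITY_CENTER_KEY.lower():
            values.update(vals)
    flagged = []
    for name in SUPPRESSION_VALUES:
        raw = values.get(name, "")
        if raw.startswith("dword:") and int(raw[len("dword:"):], 16) != 0:
            flagged.append(name)
    return flagged

def services_without_file(text):
    """Service names whose image path is empty or which ComboFix tagged [x]/[?]."""
    missing = []
    for line in text.splitlines():
        m = _SERVICE_RE.match(line)
        if m:
            rest = m.group(4).strip()
            if rest.startswith("[") or rest[-3:] in ("[x]", "[?]"):
                missing.append(m.group(2))
    return missing

def loopback_proxy(text):
    """ProxyServer value if it points at this machine, else None. Interception
    by malware is one cause; a legitimately installed local proxy is another."""
    for line in text.splitlines():
        m = _PROXY_RE.match(line)
        if m:
            value = m.group(1).strip()
            host = value.split("=", 1)[-1].split(":")[0].lower()
            if host in ("localhost", "127.0.0.1"):
                return value
    return None

def cfscript_registry_stanza(names):
    """CFScript 'Registry::' block deleting the flagged values; "name"=- is the
    REGEDIT4 idiom for 'delete this value', as in the script above."""
    if not names:
        return ""
    lines = ["Registry::", f"[{SECURITY_CENTER_KEY}]"]
    lines += [f'"{n}"=-' for n in names]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    overrides = security_center_overrides(parse_registry(SAMPLE_LOG))
    print("security center overrides:", overrides)
    print("services without a file:", services_without_file(SAMPLE_LOG))
    print("loopback proxy:", loopback_proxy(SAMPLE_LOG))
    print(cfscript_registry_stanza(overrides), end="")
```

The loopback proxy is only reported, not scripted for removal, because a locally installed proxy can set that value legitimately; confirm what is listening on the port before changing it.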

Re: Unknown virus?

Post by amputate on 14th June 2009, 12:43 am

I've uninstalled Limewire, but BitLord isn't in the Add/Remove Programs list. Here's the log:

ComboFix 09-06-13.03 - HP_Administrator 06/13/2009 17:31.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1643 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt

FILE ::
"c:\windows\Fsesob.dat"
"c:\windows\Sjakahixusoyaq.bin"
"c:\windows\sto453250.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\BitLord
c:\program files\LimeWire
c:\program files\BitLord\BitLord.xml
c:\program files\BitLord\Downloads.xml
c:\program files\BitLord\lang\lang_ar_ae.xml
c:\program files\BitLord\lang\lang_bg_bg.xml
c:\program files\BitLord\lang\lang_ca_es.xml
c:\program files\BitLord\lang\lang_cz_cz.xml
c:\program files\BitLord\lang\lang_da_dk.xml
c:\program files\BitLord\lang\lang_de_de.xml
c:\program files\BitLord\lang\lang_el_gr.xml
c:\program files\BitLord\lang\lang_en_us.xml
c:\program files\BitLord\lang\lang_es_ar.xml
c:\program files\BitLord\lang\lang_es_es.xml
c:\program files\BitLord\lang\lang_et_ee.xml
c:\program files\BitLord\lang\lang_fi_fi.xml
c:\program files\BitLord\lang\lang_fr_fr.xml
c:\program files\BitLord\lang\lang_gl_es.xml
c:\program files\BitLord\lang\lang_he_il.xml
c:\program files\BitLord\lang\lang_hu_hu.xml
c:\program files\BitLord\lang\lang_it_it.xml
c:\program files\BitLord\lang\lang_jp_jp.xml
c:\program files\BitLord\lang\lang_ko_kr.xml
c:\program files\BitLord\lang\lang_nb_no.xml
c:\program files\BitLord\lang\lang_nl_nl.xml
c:\program files\BitLord\lang\lang_pl_pl.xml
c:\program files\BitLord\lang\lang_pt_br.xml
c:\program files\BitLord\lang\lang_pt_pt.xml
c:\program files\BitLord\lang\lang_ro_ro.xml
c:\program files\BitLord\lang\lang_ru_ru.xml
c:\program files\BitLord\lang\lang_sk_sk.xml
c:\program files\BitLord\lang\lang_sl_si.xml
c:\program files\BitLord\lang\lang_sr_sr.xml
c:\program files\BitLord\lang\lang_sv_se.xml
c:\program files\BitLord\lang\lang_th_th.xml
c:\program files\BitLord\lang\lang_tr_tr.xml
c:\program files\BitLord\lang\lang_va_es.xml
c:\program files\BitLord\lang\lang_zh_tw.xml
c:\program files\BitLord\rules\ipfilter.dat
c:\program files\BitLord\Torrents\17 Again Original Soundtrack - Includes Covers.torrent
c:\program files\BitLord\Torrents\17 Again Original Soundtrack - Includes Covers.xml
c:\program files\BitLord\Torrents\Aaliyah - Dedication (2008) - R&B - BigGod.torrent
c:\program files\BitLord\Torrents\Aaliyah - Dedication (2008) - R&B - BigGod.xml
c:\program files\BitLord\Torrents\iDump_Setup.exe.torrent
c:\program files\BitLord\Torrents\iDump_Setup.exe.xml
c:\program files\BitLord\Torrents\Malwarebytes_1_.Anti-Malware.v1.33.torrent
c:\program files\BitLord\Torrents\Malwarebytes_1_.Anti-Malware.v1.33.xml
c:\program files\BitLord\Torrents\N.A.S.A. - The Spirit Of Apollo (2009)[tRg music release].torrent
c:\program files\BitLord\Torrents\N.A.S.A. - The Spirit Of Apollo (2009)[tRg music release].xml
c:\program files\BitLord\Torrents\photoshop cs3 + crack.torrent
c:\program files\BitLord\Torrents\photoshop cs3 + crack.xml
c:\program files\BitLord\Torrents\Role.Models[2008][Unrated.Edition]DvDrip-aXXo.torrent
c:\program files\BitLord\Torrents\Role.Models[2008][Unrated.Edition]DvDrip-aXXo.xml
c:\program files\BitLord\Torrents\Sex.Drive[2008][Unrated.Edition]DvDrip-aXXo.torrent
c:\program files\BitLord\Torrents\Sex.Drive[2008][Unrated.Edition]DvDrip-aXXo.xml
c:\program files\BitLord\Torrents\Singorama.rar.torrent
c:\program files\BitLord\Torrents\Singorama.rar.xml
c:\program files\BitLord\Torrents\Sony Vegas Pro 8.0b Build 217-AVCHD-MPG-AC3 FIXED.torrent
c:\program files\BitLord\Torrents\Sony Vegas Pro 8.0b Build 217-AVCHD-MPG-AC3 FIXED.xml
c:\program files\BitLord\Torrents\Sony Vegas Pro 8.0c Build 260.torrent
c:\program files\BitLord\Torrents\Sony Vegas Pro 8.0c Build 260.xml
c:\program files\BitLord\Torrents\Viva La Vida.torrent
c:\program files\BitLord\Torrents\Viva La Vida.xml
c:\program files\BitLord\Torrents\WALT DISNEYS ALADDIN [MUSICAL MASTERPIECE EDITION][FULL][DVDRIP][ENG]-kidzcorner.torrent
c:\program files\BitLord\Torrents\WALT DISNEYS ALADDIN [MUSICAL MASTERPIECE EDITION][FULL][DVDRIP][ENG]-kidzcorner.xml
c:\program files\BitLord\Torrents\WALT DISNEYS SLEEPING BEAUTY[DVDRIP][ENG]@KIDZCORNER RIP.torrent
c:\program files\BitLord\Torrents\WALT DISNEYS SLEEPING BEAUTY[DVDRIP][ENG]@KIDZCORNER RIP.xml
c:\program files\BitLord\Torrents\WavePad.rar.torrent
c:\program files\BitLord\Torrents\WavePad.rar.xml
c:\program files\BitLord\Torrents\Yellowcard - Lights And Sounds.torrent
c:\program files\BitLord\Torrents\Yellowcard - Lights And Sounds.xml
c:\program files\LimeWire\hs_err_pid4648.log
c:\windows\Fsesob.dat
c:\windows\Sjakahixusoyaq.bin
c:\windows\sto453250.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_utwtj


((((((((((((((((((((((((( Files Created from 2009-05-14 to 2009-06-14 )))))))))))))))))))))))))))))))
.

2009-06-13 17:42 . 2009-06-13 17:42 0 ----a-w- C:\backup.reg
2009-06-13 17:42 . 2009-06-13 17:42 574 ----a-w- C:\cleanup.bat
2009-06-13 17:42 . 2009-06-13 17:42 135168 ----a-w- C:\zip.exe
2009-06-13 16:12 . 2009-06-13 16:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-13 09:57 . 2009-06-08 21:00 110592 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\8kzs7j02.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
2009-06-11 21:58 . 2008-09-04 18:17 447752 ----a-r- c:\windows\system32\vp6vfw.dll
2009-06-11 21:58 . 2009-06-11 21:58 10134 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-06-11 21:58 . 2009-06-11 21:58 -------- d-----w- c:\program files\Microsoft WSE
2009-06-11 21:48 . 2006-09-28 23:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2009-06-11 21:48 . 2009-06-11 21:48 -------- d-----w- c:\windows\Logs
2009-06-11 21:40 . 2009-06-11 21:40 -------- d-----w- c:\program files\Electronic Arts
2009-06-04 02:02 . 2009-06-13 18:23 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\uTorrent
2009-06-02 19:34 . 2009-06-02 19:34 3584 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-06-02 19:34 . 2009-06-02 19:34 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-06-02 19:34 . 2009-06-02 19:34 -------- d-----w- c:\program files\MSECACHE
2009-06-02 09:11 . 2009-06-02 09:11 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2009-06-02 09:10 . 2009-06-02 09:10 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-06-02 09:09 . 2009-06-02 09:09 19968 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Shortcuts\icwsetup.exe
2009-06-02 07:34 . 2009-06-02 07:34 -------- d-----w- c:\program files\iPod
2009-06-02 07:26 . 2009-06-02 07:26 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-02 07:26 . 2009-06-02 07:26 -------- d-----w- c:\program files\Safari
2009-05-26 05:51 . 2009-06-11 16:17 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\mIRC
2009-05-26 05:51 . 2009-06-09 19:44 -------- d-----w- c:\program files\mIRC
2009-05-23 04:25 . 2007-02-20 23:04 190696 ----a-w- c:\windows\system32\NPSWF32_FlashUtil.exe
2009-05-23 04:25 . 2007-02-20 23:04 2463976 ----a-w- c:\windows\system32\NPSWF32.dll
2009-05-23 04:22 . 2009-05-23 04:22 -------- d-----w- c:\program files\MagicISO
2009-05-23 02:17 . 2009-05-23 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-05-23 02:17 . 2009-05-23 02:22 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-05-23 02:17 . 2009-05-28 23:01 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-05-23 02:13 . 2009-05-23 02:13 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-23 02:13 . 2009-05-23 02:23 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\DAEMON Tools Lite
2009-05-20 06:52 . 2007-02-21 09:09 2781184 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Adobe\Dreamweaver 9\Configuration\Flash Player\authplay.dll
2009-05-20 02:18 . 2009-05-20 02:18 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\GlobalSCAPE
2009-05-20 02:18 . 2009-05-20 02:18 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\GlobalSCAPE
2009-05-20 02:17 . 2009-05-20 02:17 -------- d-----w- c:\program files\GlobalSCAPE
2009-05-20 01:09 . 2009-06-04 01:22 100 --s-a-w- c:\windows\system32\821635520.dat
2009-05-17 23:52 . 2009-05-17 23:52 -------- d-----w- c:\program files\No-IP
2009-05-17 11:45 . 2004-08-09 21:00 29696 ----a-w- c:\windows\system32\dllcache\admexs.dll
2009-05-17 11:44 . 2004-08-09 21:00 8192 ----a-w- c:\windows\system32\staxmem.dll
2009-05-17 11:44 . 2004-08-09 21:00 8192 ----a-w- c:\windows\system32\dllcache\staxmem.dll
2009-05-17 11:44 . 2009-05-17 11:44 -------- d-----w- c:\windows\system32\Logfiles
2009-05-17 11:44 . 2009-05-17 11:44 -------- d-----w- C:\Inetpub
2009-05-17 02:52 . 2009-05-17 02:52 -------- d-----w- c:\documents and settings\All Users\Application Data\ALM
2009-05-17 02:49 . 2009-05-17 02:49 -------- d-----w- c:\program files\Adobe Media Player
2009-05-17 02:47 . 2009-05-17 02:47 -------- d-----w- c:\program files\Common Files\Adobe AIR
.


Re: Unknown virus?

Post by amputate on 14th June 2009, 12:45 am

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-13 23:39 . 2009-04-17 01:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-13 23:14 . 2004-08-10 04:00 182912 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-11 21:40 . 2006-11-17 03:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-08 20:00 . 2009-04-24 05:47 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\LimeWire
2009-06-07 09:57 . 2009-04-07 23:34 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Apple Computer
2009-06-07 00:23 . 2009-04-10 09:40 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Ventrilo
2009-06-02 19:09 . 2009-04-17 01:57 -------- d-----w- c:\program files\Spyware Doctor
2009-06-02 07:34 . 2009-04-07 23:33 -------- d-----w- c:\program files\iTunes
2009-06-02 07:34 . 2009-04-07 23:32 -------- d-----w- c:\program files\Common Files\Apple
2009-06-02 07:32 . 2009-04-07 23:33 -------- d-----w- c:\program files\QuickTime
2009-05-29 20:36 . 2009-04-07 23:32 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-29 20:36 . 2009-04-07 23:32 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-05-20 06:45 . 2006-11-17 03:29 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-20 04:33 . 2006-11-17 03:22 119976 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-09 21:00 . 2009-05-09 21:00 -------- d-----w- c:\program files\AutoIt3
2009-05-08 13:59 . 2009-05-08 13:59 -------- d-----w- c:\program files\AhnLab
2009-05-07 20:53 . 2009-05-06 07:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Logishrd
2009-05-07 06:40 . 2009-05-07 06:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-07 06:36 . 2006-11-17 03:26 -------- d-----w- c:\program files\Microsoft Works
2009-05-07 06:36 . 2009-05-07 06:36 -------- d-----w- c:\program files\MSBuild
2009-05-07 06:35 . 2009-05-07 06:35 -------- d-----w- c:\program files\Microsoft.NET
2009-05-06 07:08 . 2009-05-06 07:06 -------- d-----w- c:\program files\Common Files\LogiShrd
2009-05-06 07:07 . 2009-05-06 07:07 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Leadertech
2009-05-06 07:06 . 2009-05-06 07:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2009-05-06 07:06 . 2009-05-06 07:06 -------- d-----w- c:\program files\Logitech
2009-05-05 21:48 . 2009-05-05 21:48 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\teamspeak2
2009-05-05 21:48 . 2009-05-05 21:48 -------- d-----w- c:\program files\Teamspeak2_RC2
2009-05-02 01:02 . 2009-05-02 01:02 -------- d-----w- c:\program files\Windows Journal Viewer
2009-04-24 05:35 . 2009-04-24 05:35 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-04-24 05:35 . 2006-11-17 02:53 -------- d-----w- c:\program files\Java
2009-04-24 05:35 . 2009-04-24 05:35 152576 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\jre1.6.0_11\lzma.dll
2009-04-23 04:14 . 2009-04-08 07:32 -------- d-----w- c:\program files\Conduit
2009-04-23 04:13 . 2006-11-17 03:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-04-23 04:06 . 2009-01-23 04:06 47616 --sha-w- c:\windows\system32\sogasuba.exe
2009-04-22 05:15 . 2009-04-22 05:03 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\HP
2009-04-22 05:14 . 2009-04-22 05:03 112954 ----a-w- c:\windows\hpoins07.dat
2009-04-22 05:13 . 2009-04-22 05:13 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-04-22 05:13 . 2006-11-17 03:12 -------- d-----w- c:\program files\HP
2009-04-22 05:12 . 2006-11-17 03:24 -------- d-----w- c:\program files\Hewlett-Packard
2009-04-22 05:11 . 2009-04-22 05:11 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-04-21 23:24 . 2009-04-21 23:24 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-04-21 23:24 . 2009-04-07 23:24 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-04-21 00:38 . 2009-04-21 00:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-04-21 00:37 . 2009-04-21 00:37 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Yahoo!
2009-04-21 00:37 . 2009-04-21 00:37 823 ----a-w- c:\program files\Yahoo! Messenger.lnk
2009-04-21 00:36 . 2006-11-17 03:41 -------- d-----w- c:\program files\Yahoo!
2009-04-21 00:17 . 2009-04-21 00:17 438592 ----a-w- c:\program files\msgr9us.exe
2009-04-20 06:45 . 2009-04-17 02:05 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-04-19 20:14 . 2006-11-17 03:19 -------- d-----w- c:\program files\HP Games
2009-04-19 20:14 . 2006-11-17 03:19 -------- d-----w- c:\program files\WildTangent
2009-04-19 20:14 . 2006-11-17 03:19 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2009-04-19 10:05 . 2009-04-19 10:05 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-04-19 10:01 . 2009-04-19 10:01 -------- d-----w- c:\program files\MSXML 4.0
2009-04-19 08:43 . 2009-04-19 08:43 -------- d-----w- c:\program files\JAP
2009-04-18 01:04 . 2009-04-18 01:04 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-04-18 00:15 . 2009-04-18 00:14 52770576 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sony Setup\64993CD0-67D1-4244-A2BC-FD73F4DA5B62\dotnetfx3.exe
2009-04-17 23:40 . 2009-04-08 02:15 -------- d-----w- c:\program files\Last.fm
2009-04-17 23:13 . 2009-04-17 23:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-04-17 23:13 . 2009-04-17 23:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-17 02:47 . 2009-04-17 02:47 -------- d-----w- c:\program files\Trend Micro
2009-04-17 02:44 . 2009-04-17 02:33 -------- d-----w- c:\program files\True Sword 5
2009-04-17 02:33 . 2009-04-17 02:33 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\True Sword
2009-04-17 02:20 . 2009-04-17 01:57 -------- d-----w- c:\program files\Common Files\PC Tools
2009-04-17 01:57 . 2009-04-17 01:57 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\PC Tools
2009-04-17 01:57 . 2009-04-17 01:57 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-04-17 01:57 . 2009-04-17 01:55 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\GetRightToGo
2009-04-16 08:28 . 2009-04-16 08:28 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Sony Setup
2009-04-16 08:27 . 2009-04-16 08:27 -------- d-----w- c:\program files\Sony Setup
2009-04-08 22:35 . 2009-04-07 23:14 139 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\fusioncache.dat
2009-04-08 02:16 . 2009-04-08 02:16 683801 ----a-w- c:\documents and settings\All Users\Application Data\Last.fm\Client\UninstWMP\unins000.exe
2009-04-08 02:16 . 2009-04-08 02:16 184 ----a-w- c:\documents and settings\All Users\Application Data\Last.fm\Client\uninst2.bat
2009-04-08 02:16 . 2009-04-08 02:16 683801 ----a-w- c:\documents and settings\All Users\Application Data\Last.fm\Client\UninstITW\unins000.exe
2009-04-07 23:23 . 2009-04-07 23:23 167376 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\8kzs7j02.default\FlashGot.exe
2009-04-07 23:20 . 2009-04-07 23:20 0 ----a-w- c:\windows\nsreg.dat
2009-04-06 22:32 . 2009-04-17 23:13 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 22:32 . 2009-04-17 23:13 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-03-19 23:32 . 2009-04-07 23:34 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-19 23:32 . 2009-03-19 23:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 00:55 . 2009-04-21 00:36 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM (R)"="c:\program files\AIM95\aim.exe" [2002-07-26 57344]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-09 2828184]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-19 4363504]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-26 518488]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-15 565008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-15 2407184]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"phime2002async"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-09 455168]
"phime2002a"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-09 455168]
"mspy2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-09 59392]
"imjpmig8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-09 208952]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2005-09-27 169984]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-05-09 1519616]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\GlobalSCAPE\\CuteFTP 8 Professional\\ftpte.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"53:UDP"= 53:UDP:Promo

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/7/2009 4:24 PM 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [4/16/2009 7:05 PM 130936]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 12:06 PM 1005904]
S3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [11/16/2006 8:09 PM 82048]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [4/16/2009 6:57 PM 348752]
S3 XDva225;XDva225;\??\c:\windows\system32\XDva225.sys --> c:\windows\system32\XDva225.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-06-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 23:24]
.
- - - - ORPHANS REMOVED - - - -

BHO-{7c5c0f58-e061-457d-9033-77307f5ed00c} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local;
uInternet Settings,ProxyServer = http=localhost:7171
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath -

Re: Unknown virus?

Post by amputate on 14th June 2009, 12:45 am

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-13 17:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(616)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(1312)
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-06-14 17:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-14 00:41
ComboFix2.txt 2009-06-13 23:22

Pre-Run: 185,149,190,144 bytes free
Post-Run: 185,121,001,472 bytes free

344 --- E O F --- 2009-04-20 10:00

Re: Unknown virus?

Post by Belahzur on 14th June 2009, 1:01 am

Hello.
Delete the following file in bold:

c:\windows\system32\821635520.dat

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?

Re: Unknown virus?

Post by amputate on 14th June 2009, 2:22 am

I've deleted that file and so far it's going great! I ran Malwarebytes just in case I messed up some step in the process and no infections whatsoever. Thank you so much!!
